Filter looks at the day's top technology news through snapshots and analysis of what the world's media outlets are covering. Washingtonpost.com's new Mon.-Fri. feature is penned by technology reporter Cynthia L. Webb. If a technology story breaks, a company falters or triumphs, or there's a new trend in technology, Filter wants you to know about it.
By Cynthia L. Webb washingtonpost.com Staff Writer
Tuesday, June 15, 2004; 9:32 AM
Type "phish" into your favorite search engine and you'll get plenty of links to fan sites for the cult rock band of the same name. Click into your e-mail inbox, however, and you're likely to come across another kind of phish, one that has Corporate America sounding the red alert.
Today's Wall Street Journal reports that more than a dozen big companies -- including IBM, Tenet Healthcare Corp. and Fidelity Investments -- have linked up to create "the Trusted Electronic Communications Forum, a trade group that is expected to research and promote technical standards to combat phishing." Phishing, of course, involves cleverly crafted e-mail messages and Web sites designed to trick computer users into disclosing sensitive personal information like passwords, credit card numbers and checking accounts.
"Research firm Gartner Group estimates that 57 million U.S. Internet users have received e-mail linked to phishing scams and about 1.8 million may have divulged personal information as a result," the Journal reported. "And the problem is increasing: In research conducted in April, Gartner found that 76% of all known or suspected phishing attacks had taken place in the previous six months." The newspaper also noted that "Citigroup Inc.'s Citibank unit, eBay Inc. and its PayPal unit were the three organizations targeted most often by phishing scams in April, according to the Anti-Phishing Working Group another industry association, with 400 members from over 250 organizations. Financial-services institutions represented 15 of the 20 most-targeted organizations in April, according to the group."
• The Wall Street Journal: Firms Join Up To Combat Web Fraud (Subscription required)
MSNBC yesterday reported on additional Gartner research on phishing and how rampant the problem has become for bank account holders: "Nearly 2 million Americans have had their checking accounts raided by criminals in the past 12 months, according to a soon-to-be released survey by market research group Gartner. Consumers reported an average loss per incident of $1,200, pushing total losses higher than $2 billion for the year." Gartner based its findings on a survey that questioned 5,000 Internet users in April. "Gartner researcher Avivah Litan blamed online banking for most of the problem. 'There has been a big increase in the abuse of existing checking accounts,' Litan said. 'What's really scary about it is right now there are no back-end fraud detection solutions for it.'"
• MSNBC: Survey: 2 Million Bank Accounts Robbed
In a separate article, The Wall Street Journal also reported on the new Gartner study: "The Stamford, Conn., research firm says that online scams known as 'phishing' appear to be responsible for a portion of the checking account fraud. Gartner says that most victims were unsure exactly how the checking account-related crimes were perpetrated, but that 70% of the victims pay bills or bank online. The research firm acknowledges that banks usually refund any money lost to fraud victims, but calls on banks to increase their protections against checking account fraud. The research firm estimates that about 5.68 million adult U.S. Internet users fell victim to credit-card fraud during the 12 months ending in April. In absolute terms, that is greater than those hit by unauthorized checking account access, but it appears to have stabilized from previous years."
• The Wall Street Journal: Nearly 2 Million Americans Fall Victim To Bank Fraud (Subscription required)
And more on the rising phishing trend from the MSNBC article: "Phishing attempts designed specifically to steal bank information began to skyrocket about 10 months ago, according to Dave Jevans, chair of the Anti-Phishing Working Group. Overall, phishing e-mails have jumped 4,000 percent in the past six months, and just last month, Citibank overtook eBay as the most common target. The company faced an average of 16 attacks per day, and 475 separate phishing attacks during April, an increase of nearly 400 percent from March. Citibank didn't immediately return requests for comment. 'It's working, there's no doubt about that...There's people who are under constant siege now,' Jevans said. 'It's like people setting up fake ATMs everywhere.' Some days, banks are targeted dozens of times, which not only leads to identity theft, but also jam-packed customer service telephone lines. 'Clearly the issues are far more significant than anyone expected they would be. Phishing and spoofing (setting up look-alike bank Web sites) are really getting to people,' said Larry Ponemon, founder of privacy think tank Ponemon Institute, and a bank consultant. 'It is an epidemic. It's a very big problem.'"
So Long E-mail?
Phishing is just one threat that criminals aim at e-mail accounts worldwide, along with a rising tide of viruses and worms that collectively are giving the communication tool a bad rap. "As a major e-mail conference convenes here this week, there is a growing belief that e-mail -- the vaunted 'killer app' -- is in deep trouble. 'It increasingly is broken,' Silicon Valley venture capitalist Steve Jurvetson says. 'Spam, fraud, phishing schemes, all this other stuff is more than an annoyance. The future of the medium is at stake,'" USA Today wrote yesterday. "E-mail is evolving into a hacking tool that threatens its usefulness for communications and commerce, security experts say. An avalanche of junk e-mail, scams to filch personal information and sophisticated computer viruses cost more than $15 billion in personal losses and lost workplace productivity last year, market researchers say."
• USA Today: Is The Future of E-mail Under Cyberattack?
About.com has an Internet and network security blog with an entry by computer security expert Tony Bradley stressing the users are part of the problem. He writes: "Ed Skoudis, author of Counter Hack and the Hack - Counter Hack Training Course, says 'Both. Users often respond to even lame attempts at phishing, which sometimes include e-mail solicitations full of typos, bad grammar, and other obvious signs that they are not legit. Beyond users, though, the technology doesn't really support us enough in determining what is a real site. Phishers use all sorts of tricks to disguise their URLs and fool browsers. Getting a legit-looking SSL certificate is trivial. Many users blindly click "accept" when they get an SSL [CERT] warning. Because SSL puts all trust decisions in the hands of users, it's really easy to pull off a phishing attack that uses HTTPS. That's because of a combo of user ignorance and technical limitations. And that's only one example.'" The same entry also has a list of five steps to take to ward off phishing attacks.
A Windows IE Connection
Internet scam artists often take advantage of flaws in widely used Internet browsers (read "Internet Explorer"). The U.S. Computer Emergency Response Teamissued an alert late Friday saying that Microsoft is working to fix an IE flaw that could allow online criminals to take control of a user's computer. BBC News Online described more: "Problems arise when a user unknowingly clicks on a bogus web link, triggering a download of software. Malicious hackers could then have access to data and files on the PC. The danger lies in the fact that the links can be disguised to look like bona fide URL and the software is installed without raising any alarms."
• BBC News Online: Microsoft Races To Plug IE Hole • ZDNet UK: Microsoft IE Bug Leaves Users Vulnerable To Phishing
